jfruh writes "We've learned many lessons in the fallout from Edward Snowden's whistleblowing and flight to Hong Kong, but here's an important one: Never make your sysadmin mad. Even if your organization isn't running a secret, civil-rights violating surveillance program, you're probably managing to annoy your admins in a number of more pedestrian ways that might still have blowback for you. Learn to stay on their good side by going along with their reasonable requests and being specific with your complaints."
An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
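The distinction the story turns on is that only `Cache-Control: no-store` tells a browser not to persist a response; `no-cache`, `private`, `max-age=0` and the request-side `Pragma: no-cache` all still permit the body to land in the disk cache. The classifier below is an added example, not code from the LA Times story or from any of the sites it names; the header sets it checks are constructed illustrations of typical misconfigurations, not captures from real servers.

```python
"""Classify whether an HTTPS response's caching headers stop the browser
from writing the body to its disk cache.

Added example, not code from the LA Times story or the sites it names.
The sample responses below are constructed for illustration; the header
sets are assumptions about what a misconfigured server might send, not
captures from any real site.
"""
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into lower-cased directives.

    'private, max-age=0, no-store' -> {'private': '', 'max-age': '0', 'no-store': ''}
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def disk_cache_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (safe, reason) for a response header map (names matched case-insensitively).

    Only 'Cache-Control: no-store' is the standard instruction not to persist
    the response (RFC 7234 section 5.2.2.3). 'no-cache' permits storing but
    forces revalidation; 'private' only forbids shared caches; 'Pragma: no-cache'
    is a request directive with no defined meaning in responses.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc:
        return True, "Cache-Control: no-store present"
    if "no-cache" in cc:
        return False, "no-cache only: body may be written to disk, revalidated on reuse"
    if "private" in cc or "max-age" in cc:
        return False, "private/max-age only: storage in the browser cache is allowed"
    if "pragma" in lower and "no-cache" in lower["pragma"].lower():
        return False, "Pragma: no-cache only: not a response directive, browser-dependent"
    return False, "no caching headers at all: browser heuristics decide, usually stored"


# Constructed sample responses (not captures from any named site).
SAMPLES: List[Tuple[str, Dict[str, str]]] = [
    ("correct", {"Cache-Control": "no-store, no-cache, must-revalidate", "Content-Type": "text/html"}),
    ("no-cache-only", {"Cache-Control": "no-cache", "Pragma": "no-cache"}),
    ("private-only", {"Cache-Control": "private, max-age=0"}),
    ("pragma-only", {"Pragma": "no-cache"}),
    ("none", {"Content-Type": "application/pdf"}),
]


def audit(samples=SAMPLES) -> Dict[str, bool]:
    """Run the verdict over every sample; True means safe from disk caching."""
    return {name: disk_cache_verdict(h)[0] for name, h in samples}


if __name__ == "__main__":
    for name, hdrs in SAMPLES:
        safe, why = disk_cache_verdict(hdrs)
        print(f"{name:14s} {'OK ' if safe else 'BAD'} {why}")
```

To audit a live site, feed the response headers from your HTTP client into `disk_cache_verdict`; anything that returns False on a page carrying statements or reports is the kind of leak the article describes. Only the first sample passes, which is the point: `no-cache` and `Pragma` look protective but are not.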
Trailrunner7 writes "After years of saying that the company didn't need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws. Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That's no longer the case. The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows."
msm1267 writes "Business travelers who tether their iPhones as mobile hotspots beware. Researchers at the University of Erlangen-Nuremberg in Germany have discovered a weakness in the way iOS generates default passwords for such connections that can leave a user's device vulnerable to man-in-the-middle attacks, information leakage or abuse of the user's Internet connection. Andreas Kurtz, Felix Freiling and Daniel Metz published a paper (PDF) that describes the inner workings of how an attacker can exploit the PSK (pre-shared key) authentication iOS uses to establish a secure WPA2 connection when using the Apple smartphone as a hotspot. The researchers said that attackers would find the least resistance attacking the PSK setup rather than trying their hand at beating the operating system's complex programming layers."
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins." It does seem that WordPress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
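The bug class the survey reports most is ordinary SQL injection: user input concatenated into a query string. The following is an added example in Python with sqlite3, not WordPress or plugin code (those are PHP), showing the vulnerable lookup beside its parameterized fix; the `posts` table, its rows and the payload are constructed for the demonstration.

```python
"""SQL injection in a plugin-style lookup: the string-built query beside
its parameterized fix.

Added example in Python with sqlite3, not WordPress or plugin code (those
are PHP); it shows the same class of bug the Checkmarx survey reports.
The 'posts' table and its rows are constructed sample data.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory database with a tiny constructed 'posts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, author TEXT, title TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "Public launch notes", "publish"),
            (2, "alice", "Unreleased pricing draft", "private"),
            (3, "bob", "Team outing", "publish"),
        ],
    )
    return conn


def published_titles_vulnerable(conn: sqlite3.Connection, author: str) -> List[str]:
    """Interpolates user input straight into SQL (the bug)."""
    sql = (
        "SELECT title FROM posts WHERE author = '" + author + "' "
        "AND status = 'publish'"
    )
    return [row[0] for row in conn.execute(sql)]


def published_titles_fixed(conn: sqlite3.Connection, author: str) -> List[str]:
    """Same query with a bound parameter; input cannot change the statement."""
    sql = "SELECT title FROM posts WHERE author = ? AND status = 'publish'"
    return [row[0] for row in conn.execute(sql, (author,))]


# Constructed payload: closes the quote, adds an always-true condition, and
# comments out the status filter. sqlite3 (like MySQL) treats '--' as a
# line comment, so the private post leaks through the vulnerable version.
PAYLOAD = "alice' OR '1'='1' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", published_titles_vulnerable(conn, PAYLOAD))
    print("fixed:     ", published_titles_fixed(conn, PAYLOAD))
```

The vulnerable function returns every row, including the private draft, because the payload rewrites the WHERE clause; the fixed one returns nothing, since the whole payload is compared as a literal author name. In WordPress the equivalent of the bound parameter is `$wpdb->prepare()`.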
An anonymous reader writes "As reported earlier on Slashdot it appeared the license covering the MySQL man pages was changed from the GPL to something less good. However, as speculated, this appears to be a bug." The build system was grabbing the wrong files, oops. The fix should be coming shortly: "Once the fixes have been made to the build system, we will rebuild the latest 5.1, 5.5, 5.6 releases plus the latest 5.7 milestone and make those available publicly asap."
Qedward writes with an excerpt at TechWorld about a new project from Jon "Maddog" Hall, which is about to launch in Brazil: "The vision of Project Cauã is to promote more efficient computing following the thin client/server model, while creating up to two million privately-funded high-tech jobs in Brazil, and another three to four million in the rest of Latin America. Hall explained that São Paulo in Brazil is the second largest city in the Western Hemisphere and has about twelve times the population density of New York City. As a result, there are a lot of people living and working in very tall buildings. Project Cauã will aim to put a server system in the basement of all of these tall buildings and thin clients throughout the building, so that residents and businesses can run all of their data and applications remotely."
McGruber writes "In an Op-Ed published in The NY Times, Information Technology & Innovation Foundation (ITIF.org) Senior Fellow Richard Bennett claims that 'America's broadband networks lead the world by many measures, and they are improving at a more rapid rate than networks in most developed countries.' Mr. Bennett also says, 'the most critical issue facing American broadband has nothing to do with the quality of our networks; it is our relatively low rates of subscribership.'"
WebGangsta writes "The rumor mill continues to grow closer and closer to reality, as The Verge is reporting the upcoming SERIES 5 TiVo will have 6 tuners, support OTA recording (an old TiVo feature being brought back), storage beyond the 2TB limit, and more. While some would say that TiVo today is nothing more than a Patent Holder (albeit a successful one), there's still a market for a cable box that doubles as a streaming player. Is hardware the future of TiVo, or should they go and just license their software to all? And don't get us started on those 'TiVo Buying Hulu' or 'Apple/Google buying TiVo' rumors... that's a different story for a different day."
mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old, and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly facing and remotely accessible. The SAP services contained dangerous vulnerabilities which were since patched by the vendor but had not been applied."
benrothke writes "It's said that truth is stranger than fiction, as fiction has to make sense. Had The Chinese Information War: Espionage, Cyberwar, Communications Control and Related Threats to United States Interests been written as a spy thriller, it would have been a fascinating novel of international intrigue. But the book is far from a novel. It's a dense, well-researched overview of China's cold-war-like cyberwar tactics against the US to regain its past historical glory and world dominance." Read below for the rest of Ben's review.
Writing "Wow, this is going to really set the cat amongst the pigeons once this gets around," an anonymous reader links to a story at The Guardian about some good old fashioned friendly interception, and the slide-show version of what went on at recent G20 summits in London: "Foreign politicians' calls and emails intercepted by UK intelligence; Delegates tricked into using fake internet cafes; GCHQ analysts sent logs of phone calls round the clock; Documents are latest revelations from whistleblower Edward Snowden."
Lucas123 writes "Intel this year plans to sell a set-top box and Internet-based streaming media service that will bundle TV channels for subscribers, but cable, satellite and ISPs are likely to use every tool at their disposal to stop another IP-based competitor, according to experts. They may already be pressuring content providers to charge Intel more or not sell to it. Another scenario could be that cable and ISP providers simply favor their own streaming services with pricing models, or limit bandwidth based on where customers get their streamed content. For example, Comcast could charge more for a third-party streaming service than for its own, or it could throttle bandwidth or place caps on it to limit how much content customers receive from streaming media services, as it did with BitTorrent. Meanwhile, Verizon is challenging in a D.C. circuit court the FCC's Open Internet rules that are supposed to ensure there's a level playing field."
Nerval's Lobster writes "In case you didn't catch it yesterday, AllThingsD ran a piece endorsing the idea of the software-defined data center. That's a venue where hordes of non-technical mid- and upper-level managers will see it and (because of the credibility of AllThingsD) will believe software-defined data centers are not only possible, but that they exist and that your company is somehow falling behind because you personally have not sketched up a topology on a napkin or brought a package of it to install. If mid-level managers in your datacenter or extended IT department have not been pinged at least once today by business-unit managers offering to tip them off to the benefits of software-defined data centers—or demand that they buy one—then someone should go check the internal phone system because not all the calls are coming through. Why was AllThingsD's piece problematic? First, because it's a good enough publication to explain all the relevant technology terms in ways that even a non-technical audience can understand. Second, it's also a credible source, owned by Dow Jones & Co. and spun off by The Wall Street Journal. Third, software-defined data centers are genuinely happening—but it's in the very early stages. The true benefits of the platform won't arrive for quite some time—and there's too much to do in the meantime to talk about potential endpoints. Fortunately, there are a number of resources online to help tell hype from reality."
New submitter RoccamOccam writes "Shortly after the news broke that the Department of Justice had been secretly monitoring the phones and email accounts of Associated Press and Fox News reporters (and the parents of Fox News Correspondent James Rosen), CBS News' Sharyl Attkisson said her computer seemed like it had been compromised. Turns out, it was. 'A cyber security firm hired by CBS News has determined through forensic analysis that Sharyl Attkisson's computer was accessed by an unauthorized, external, unknown party on multiple occasions late in 2012. Evidence suggests this party performed all access remotely using Attkisson's accounts. While no malicious code was found, forensic analysis revealed an intruder had executed commands that appeared to involve search and exfiltration of data.'"
alphadogg writes "Medical device makers should take new steps to protect their products from malware and cyberattacks or face the possibility that the U.S. Food and Drug Administration won't approve their devices for use, the FDA said. The FDA issued new cybersecurity recommendations for medical devices on Thursday, following reports that some devices have been compromised. Recent vulnerabilities involving Philips fetal monitors and in Oracle software used in body fluid analysis machines are among the incidents that prompted the FDA to issue the recommendations."
Debian warns on its blog: "The unofficial third party repository Debian Multimedia stopped using the domain debian-multimedia.org some months ago. The domain expired and it is now registered again by someone unknown to Debian. (If we're wrong on this point, please send us an email so we can take over the domain!) This means that the repository is no longer safe to use, and you should remove the related entries from your sources.list file." Update: 06/14 02:58 GMT by U L : If you're wondering where it went, it moved to deb-multimedia.org, after the DPL (at the time) asked the maintainer to stop using the Debian name.
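An expired repository domain is a supply-chain problem: whoever re-registers it can serve packages to every machine still listing it, and apt's signature check only helps if you never imported the old repository's key or if the new owner cannot obtain it. The scanner below is an added example, not a Debian tool; it parses one-line-style `sources.list` entries (including the bracketed options form), flags active entries whose host is the expired domain or a subdomain of it, and comments them out rather than deleting them. The sample file content is constructed for the demonstration.

```python
"""Find apt source entries that still point at an abandoned repository domain.

Added example, not a Debian tool. The sample sources.list content below is
constructed; the domain to flag is the one named in the Debian notice.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

ABANDONED = {"debian-multimedia.org"}

# One-line apt format: deb|deb-src [options] uri suite [components...]
LINE_RE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def host_of(uri: str) -> str:
    """Lower-cased hostname of a repository URI ('' if it has none)."""
    return (urlparse(uri).hostname or "").lower()


def flag_entries(text: str, abandoned=ABANDONED) -> List[Tuple[int, str, str]]:
    """Return (line_no, host, line) for every active entry whose host is, or is a
    subdomain of, an abandoned domain. Commented and blank lines never match."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        host = host_of(m.group(2))
        if any(host == d or host.endswith("." + d) for d in abandoned):
            hits.append((n, host, line.rstrip()))
    return hits


def disable_entries(text: str, abandoned=ABANDONED) -> str:
    """Comment out flagged lines instead of deleting them, leaving an audit trail."""
    bad = {n for n, _, _ in flag_entries(text, abandoned)}
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        out.append("# disabled (domain expired): " + line if n in bad else line)
    return "\n".join(out) + "\n"


# Constructed sample sources.list (not taken from any real system).
SAMPLE = """\
deb http://deb.debian.org/debian wheezy main contrib non-free
deb http://www.debian-multimedia.org wheezy main non-free
deb-src [arch=amd64] http://www.debian-multimedia.org/ wheezy main
# deb http://www.debian-multimedia.org squeeze main
deb http://security.debian.org/ wheezy/updates main
"""

if __name__ == "__main__":
    for n, host, line in flag_entries(SAMPLE):
        print(f"line {n}: {host}: {line}")
    print(disable_entries(SAMPLE))
```

Run it over `/etc/apt/sources.list` and each file in `/etc/apt/sources.list.d/`; after disabling the entries, also remove the repository's signing key from apt's trusted keys, since a key you still trust is what would let a new domain owner's packages install cleanly.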
Nerval's Lobster writes "One year and seven months after beginning construction, Facebook has brought its first datacenter on foreign soil online. That soil is in Lulea, a town of 75,000 people on northern Sweden's east coast, just miles south of the boundary separating the Arctic Circle from the somewhat-less-frigid land below it. Lulea (also nicknamed The Node Pole for the number of datacenters in the area) is in the coldest area of Sweden and shares the same latitude as Fairbanks, Alaska, according to a local booster site. The constant, biting wind may have stunted the growth of Lulea's tourism industry, but it has proven a big factor in luring big IT facilities into the area. Datacenters in Lulea are just as difficult to power and cool as any other concentrated mass of IT equipment, but their owners can slash the cost of cooling all those servers and storage units simply by opening a window: the temperature in Lulea hasn't stayed at or above 86 degrees Fahrenheit for 24 hours since 1961, and the average temperature is a bracing 29.6 Fahrenheit. Air cooling might prove a partial substitute for powered environmental control, but Facebook's datacenter still needed 120 megawatts of steady power to keep the social servers humming. Sweden has among the lowest electricity costs in Europe, and the Lulea area reportedly has among the lowest power costs in Sweden. Low electricity prices are at least partly due to the area's proximity to the powerful Lulea River and the line of hydroelectric dams that draw power from it."
crookedvulture writes "With its Sandy Bridge and Ivy Bridge processors, Intel allowed standard Core i5 and i7 CPUs to be overclocked by up to 400MHz using Turbo multipliers. Reaching for higher speeds required pricier K-series chips, but everyone got access to a little "free" clock headroom. Haswell isn't quite so accommodating. Intel has disabled limited multiplier control for non-K CPUs, effectively limiting overclocking to the Core i7-4770K and i5-4670K. Those chips cost $20-30 more than their standard counterparts, and surprisingly, they're missing a few features. The K-series parts lack the support for transactional memory extensions and VT-d device virtualization included with standard Haswell CPUs. PC enthusiasts now have to choose between overclocking and support for certain features even when purchasing premium Intel processors. AMD also has overclocking-friendly K-series parts, but it offers more models at lower prices, and it doesn't remove features available on standard CPUs."